Abstract

We present a logic for analyzing cryptographic protocols. This logic encompasses a unification of four of its predecessors in the BAN family of logics, namely those given in [GNY90], [AT91], [vO93], and BAN itself [BAN89]. We also present a model-theoretic semantics with respect to which the logic is sound. The logic herein captures all of the desirable features of its predecessors and more; nonetheless, it accomplishes this with no more axioms or rules than the simplest of its predecessors.

Introduction 

In the late eighties Burrows, Abadi, and Needham developed BAN logic [BAN89], which quickly became the most widely used and widely discussed formal method for the analysis of identification/authentication protocols, particularly authenticated key distribution protocols. There have since been a number of papers noting BAN's inability or limited ability to reason about some features of both protocols and attacks on protocols. This has led several authors to propose alternatives to BAN. Many of these proposed alternatives are essentially extensions. These extensions yield an increase in reasoning power; however, collectively they accomplished this via a large number of linguistic and logical additions. As a result, one may be left unsure about the assumptions and meanings implicit in the application of these logics. Perhaps more significantly, one becomes increasingly unsure about the soundness of the reasoning that results. Relatedly, the simplicity that was part of BAN's basic appeal is lost.

This paper presents a logic that encompasses three of these logical expansions, those presented in [GNY90], [AT91], and [vO93]. (Henceforth these logics will be referred to as ‘GNY’, ‘AT’, and ‘VO’, respectively.) And, since these are essentially expansions, this logic encompasses BAN itself as well. GNY and AT add to and reformulate BAN to better reason about the same class of protocols. VO adds rules to reason about key-agreement protocols. Our logic captures virtually all of the desirable features of those logics. However, rather than simply tacking together the notation and rules from all of these we adopt an integrated approach, designed to yield a logic that is sound with respect to a single, relatively simple model of computation. Thus, this paper also presents a semantics underlying these logical expansions.[1] This will be of manifold advantage. First, some of these logics, including BAN itself, have been questioned before for lacking an independently motivated semantic foundation. (Cf., e.g., [Syv91].) Amongst other things, such a foundation can give us assurance that the reasoning in the logic is sound (i.e., false conclusions cannot be derived from true premises). BAN was essentially given such a semantic foundation by Abadi and Tuttle in [AT91]. The model of computation and semantics herein is motivated by Abadi and Tuttle's but differs from it in fundamental ways. Second, having a fairly detailed model eliminates much of the confusion that can arise over the meaning of formal expressions and/or the applicability of logical rules. That is, since we can look at the semantic interpretation of an expression, we can make better decisions about whether that expression really says what we intend to say in a given circumstance. This helps in the protocol idealization step of a BAN or BAN-like analysis. Third, by serving as a common semantics, it allows us to view the extensions from a single perspective. Contrary to first appearances, this need not result in an overly complex logic. For, as a unifying model for comparison, it allows us to see what aspects of each logic can be captured by others and what not. There is thus a fair amount of syntactic reduction since primitives of one language are often definable in another. On the logical level there is a similar amount of axiom chopping. The result is a logic that is surprisingly simple.

In the next section of the paper we present a formal language and logic, and we describe the procedure whereby these are to be applied in protocol analysis. (Henceforth this logic will be called ‘SVO’.) In §2 we present a model of computation and a semantics for the language presented in §1. The remainder of the paper looks at the language and logic of GNY and VO in comparison to SVO. In particular we consider how to capture in SVO the linguistic expressibility and logical derivability of GNY and VO. We do not present a separate section for comparative discussions of AT. AT is the only previously given logic with a model-theoretic semantics. Comparisons between AT and SVO syntax require a semantic context as well, and space limitations preclude an adequate presentation of the full Abadi-Tuttle semantics. We therefore make comparative comments at appropriate points throughout §§1 and 2.

[1] We refer here to a model-theoretic semantics for a logic. This is not to be confused with a semantics for computer programs, which is generally any mathematical interpretation (formal or informal) of programming constructs.

1  Syntax 

We will now present a logic capturing the desirable properties of BAN, AT, GNY, and VO that is both sound and relatively easy to use. Our presentation follows the structure of [AT91], with some important differences.

1.1  The  Language 

We begin with a definition of our language. Following Abadi and Tuttle, we reflect that we are looking at idealized protocols and are hence representing the sending of messages composed of expressions in a language rather than mere bitstrings. However, we expand the language slightly to cover, e.g., public keys, functions, and message comprehensibility. We also contract the language by doing away with separate syntax for forwarded messages and for binding messages to shared secrets. (The first is eliminated because we have no current use for it. The second is eliminated because its contributions are captured in our language by other means.)

We assume the existence of a set $T_0$ of primitive terms containing a number of disjoint sets of constant symbols representing principals, shared keys, public keys, private keys, numerical constants, etc. Building recursively on $T_0$, we have $n$-ary function symbols representing functions of $n$ variables, for finite $n$, e.g., simple arithmetical functions, encryption, etc. In addition to these is a set of primitive proposition constants. These represent atomic propositions, which take the value true or false. The full set of terms is called ‘$T$’. We actually require two formal languages, one for messages and one for formulae. Only formulae can be true or false or have principals' beliefs attributed to them. On the other hand, some messages are not formulae, e.g., a message consisting of a name and a nonce. References to the language of SVO are meant to encompass both languages.

Messages and formulae of the language are built from $T$ by mutual induction. The language of messages, $M_T$, is the smallest language over $T$ satisfying:

• $X$ is a message if $X \in T$,

• $F(X_1, \ldots, X_n)$ is a message if $X_1, \ldots, X_n$ are messages and $F$ is any function (including, e.g., ordered $n$-tuples, $(X_1, \ldots, X_n)$, and encryptions, $\{X\}_K$),

• $\varphi$ is a message if $\varphi$ is a formula.

The language of formulae, $F_T$, is the smallest language satisfying:

• $p$ is a formula if $p$ is a primitive proposition,

• $\neg\varphi$ and $\varphi \wedge \psi$ are formulae if $\varphi$ and $\psi$ are formulae (other connectives are definable in the usual manner),

• $P$ believes $\varphi$ and $P$ controls $\varphi$ are formulae when $\varphi$ is a formula and $P$ is a principal,

• $P$ sees $X$, $P$ received $X$, $P$ says $X$, $P$ said $X$, and $\mathit{fresh}(X)$ are formulae when $X$ is a message and $P$ is a principal,

• $P \stackrel{K}{\leftrightarrow} Q$, $PK(P, K)$, and $P$ has $K$ are formulae when $P$ and $Q$ are principals and $K$ is a key.

Most of the expressions just given either are standard notation[2] or should be intuitively clear. We give a brief intuitive description here for those that may not be.

‘$P$ controls $\varphi$’ indicates that $P$ is a trusted authority on $\varphi$. If $P$ says $\varphi$, then $\varphi$ is so. ‘$P \stackrel{K}{\leftrightarrow} Q$’ indicates that $K$ is a key shared exclusively by $P$ and $Q$. No one other than $P$ or $Q$ will ever encrypt messages using $K$, and only $P$, $Q$, and those they trust (e.g., a server who might generate it) know $K$. ‘$PK(P, K)$’ is used similarly for public keys. $K$ is $P$'s public key, and ‘$K^{-1}$’ is used exclusively to refer to the corresponding private key. (We actually have distinct notation for public keys for encryption, signature, and key agreement, viz: $PK_\psi(P, K)$, $PK_\sigma(P, K)$, and $PK_\delta(P, K)$, respectively. These will be discussed below in §2.2.)

A few more notes on notation: Typically ‘$\{X\}_K$’ is meant to refer to transformations of $X$ using $K$. We mean specifically to include digital signatures under this notation as well as shared and public key encryption. We may occasionally write ‘$\{X_P\}_K$’ to indicate that a message, $X$, is from $P$. We do not simply write it as an encrypted from field since other mechanisms may be used, e.g., direction bits. $P$ is, however, written inside the scope of the encryption to indicate that it is considered bound to the message in a secure manner. We assume principals to be competent (though not necessarily honest) in setting from fields.

[2] We use ‘$\supset$’ (pronounced “horseshoe”) rather than ‘$\rightarrow$’ to represent the conditional, to avoid confusion with the standard notation for sending a message in a protocol description, e.g., ‘$A \rightarrow B$’.


We find the following notation useful for giving a uniform presentation of the axioms. $\bar{K}$ is the complement of key $K$. In public key ciphering schemes, $K^{-1}$ is the complement of $K$, and $K$ is the complement of $K^{-1}$. In shared key schemes $\bar{K} = K$. Unless restricted, either explicitly or implicitly by context, ‘$K$’ will refer below to any symmetric, private, or public key. We can always treat encryption and decryption as functions parameterized by the relevant key. Thus, we can generalize this notation to ‘$\bar{F}$’, expressing the complement of a function $F$. This notation assumes that we are referring to an effectively one-one function. It does not assume that either the function or its complement (inverse) is computable in practice. Throughout the paper $\varphi$ and $\psi$ are metalinguistic symbols used to refer to arbitrary formulae. $\Gamma$ is a metalinguistic symbol referring to sets of formulae.

1.2  The  Logic 

Our logic has two inference rules:

Modus Ponens: From $\varphi$ and $\varphi \supset \psi$ infer $\psi$.

Necessitation: From $\vdash \varphi$ infer $\vdash P\ \mathit{believes}\ \varphi$.

‘$\vdash$’ is a metalinguistic symbol.[3] ‘$\Gamma \vdash \varphi$’ means that $\varphi$ is derivable from the set of formulae $\Gamma$ (and the axioms). ‘$\vdash \varphi$’ means that $\varphi$ is a theorem, i.e., derivable from axioms alone. We describe derivability (i.e., proofs) below in §1.3. Axioms are all instances of tautologies of classical propositional calculus, and all instances of the following axiom schemata:

Believing For any principal $P$ and formulae $\varphi$ and $\psi$,

1. $P\ \mathit{believes}\ \varphi \wedge P\ \mathit{believes}\ (\varphi \supset \psi) \supset P\ \mathit{believes}\ \psi$

2. $P\ \mathit{believes}\ \varphi \supset P\ \mathit{believes}\ (P\ \mathit{believes}\ \varphi)$

Axiom 1 says that a principal believes all that logically follows from his beliefs. Axiom 2 says in effect that a principal can tell what he believes.

Source Association Keys are used to deduce the identity of the sender of a message.

3. $(P \stackrel{K}{\leftrightarrow} Q \wedge R\ \mathit{received}\ \{X_Q\}_K) \supset Q\ \mathit{said}\ X$

4. $(PK_\sigma(Q, K) \wedge R\ \mathit{received}\ \{X\}_{K^{-1}}) \supset Q\ \mathit{said}\ X$

Recall that ‘$PK_\sigma(Q, K)$’ says that $K$ is the public signature verification key for $Q$. Precise meaning is set out in §2.2. By definition, all symbols in the axioms are symbols of the languages specified above, $F_T$ and $M_T$. Thus, in particular, the $X$ in these axioms is a message, not a bitstring. A key can be applied (by anyone who has it) to any bitstring to yield another bitstring. Since the language does not represent arbitrary bitstrings, we avoid attributing to principals the inappropriate decryption of any such bitstring.

[3] The symbol ‘$\vdash$’ is usually pronounced “turnstile”. The symbol ‘$\models$’, to be introduced, is pronounced “double turnstile”.

Key Agreement Session keys that are the result of good key-agreement keys are good.

5. $(PK_\delta(P, K_P) \wedge PK_\delta(Q, K_Q)) \supset P \stackrel{K_{PQ}}{\leftrightarrow} Q$

Here $K_{PQ} = f(K_P, K_Q^{-1}) = f(K_Q, K_P^{-1})$, where $f$ is some key-agreement function as in Diffie-Hellman key exchange. Recall that ‘$PK_\delta(R, K)$’ says that $K$ is the public key-agreement key for $R$ and implies that $K^{-1}$ remains secret. Precise meaning is set out in §2.2.
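To make the equality behind axiom 5 concrete, the Diffie-Hellman instance of $f$ written in the paper's own symbols (an added illustration, not part of the original; the group generator $g$ and the private exponents $a$, $b$ are assumptions of this illustration):

$$K_P = g^{a},\quad K_P^{-1} = a,\qquad K_Q = g^{b},\quad K_Q^{-1} = b,\qquad f(K, x) = K^{x}$$

$$K_{PQ} = f(K_P, K_Q^{-1}) = (g^{a})^{b} = g^{ab} = (g^{b})^{a} = f(K_Q, K_P^{-1}).$$

Axiom 5 asks for $PK_\delta$ of both parties, i.e. for both private exponents to remain secret: if $a$ leaks, anyone holding $K_Q$ computes $f(K_Q, a) = g^{ab}$, so $K_{PQ}$ is no longer a good key for $P$ and $Q$.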

Receiving A principal receives the concatenates of received messages and decryptions with available keys.

6. $P\ \mathit{received}\ (X_1, \ldots, X_n) \supset P\ \mathit{received}\ X_i$

7. $(P\ \mathit{received}\ \{X\}_K \wedge P\ \mathit{has}\ \bar{K}) \supset P\ \mathit{received}\ X$

Seeing A principal sees anything he receives. A principal also sees all components of every message he sees and any message he can compute from what he sees. The difference in meaning between seeing and receiving is made precise in §2.2.

8. $P\ \mathit{received}\ X \supset P\ \mathit{sees}\ X$

9. $P\ \mathit{sees}\ (X_1, \ldots, X_n) \supset P\ \mathit{sees}\ X_i$

10. $(P\ \mathit{sees}\ X_1 \wedge \ldots \wedge P\ \mathit{sees}\ X_n) \supset P\ \mathit{sees}\ F(X_1, \ldots, X_n)$

Here $F$ is any function computable in practice by $P$. There is no axiom for seeing corresponding to axiom 7 for receiving, i.e., $(P\ \mathit{sees}\ \{X\}_K \wedge P\ \mathit{has}\ \bar{K}) \supset P\ \mathit{sees}\ X$. Such an axiom is a special case of axiom 10, where $F$ is the application of $\bar{K}$ to $\{X\}_K$, and axiom 20 ($P\ \mathit{has}\ K \equiv P\ \mathit{sees}\ K$).

Comprehending If a principal comprehends a message and sees a function of it (of the appropriate type), then he understands that this is what he is seeing.

11. $P\ \mathit{believes}\ (P\ \mathit{sees}\ F(X)) \supset P\ \mathit{believes}\ (P\ \mathit{sees}\ X)$

12. $(P\ \mathit{received}\ F(X) \wedge P\ \mathit{believes}\ P\ \mathit{sees}\ X) \supset P\ \mathit{believes}\ P\ \mathit{received}\ F(X)$

Here $F$ is any effectively one-one function, and either $F$ or $\bar{F}$ is computable in practice by $P$. $F$ may represent encryption or decryption where the relevant key is treated as a parameter. The meaning of these axioms is made clear by the truth conditions for belief set out in §2.2. These axioms capture what we want of GNY's recognizability. They also serve as a replacement for A11 of AT. Abadi and Tuttle have noted that the axiom was unsound as presented, but that they have a revision that is sound.[4] Note that the converse of axiom 11 is a theorem, following from axiom 1 and axiom 10 by necessitation and modus ponens.

Saying A principal who has said a concatenated message has also said and sees the concatenates of that message. A principal who has recently said $X$ has said $X$. A principal sees what he says.

13. $P\ \mathit{said}\ (X_1, \ldots, X_n) \supset (P\ \mathit{said}\ X_i \wedge P\ \mathit{sees}\ X_i)$

14. $P\ \mathit{says}\ (X_1, \ldots, X_n) \supset (P\ \mathit{said}\ (X_1, \ldots, X_n) \wedge P\ \mathit{says}\ X_i)$

Jurisdiction This axiom in effect says that $P$'s word is law for the $\varphi$ in question.

15. $(P\ \mathit{controls}\ \varphi \wedge P\ \mathit{says}\ \varphi) \supset \varphi$

Freshness A concatenated message is fresh if one of its concatenates is fresh, and any effectively one-one function $F$ (including encryption and decryption) of a fresh message is fresh.

16. $\mathit{fresh}(X_i) \supset \mathit{fresh}(X_1, \ldots, X_n)$

17. $\mathit{fresh}(X_1, \ldots, X_n) \supset \mathit{fresh}(F(X_1, \ldots, X_n))$

Nonce-Verification Freshness promotes a message from having been said (sometime) to having been said during the current epoch.

18. $(\mathit{fresh}(X) \wedge P\ \mathit{said}\ X) \supset P\ \mathit{says}\ X$

Symmetric goodness of shared keys A shared key is good for $P$ and $Q$ iff it is good for $Q$ and $P$.

19. $P \stackrel{K}{\leftrightarrow} Q \equiv Q \stackrel{K}{\leftrightarrow} P$

Having A principal has a key iff he sees it.

20. $P\ \mathit{has}\ K \equiv P\ \mathit{sees}\ K$

1.3  Syntactic  Analysis 

In  this  section  we  give  a  brief  description  of  the  syn¬ 
tactic  protocol  analysis  technique,  which  is  similar  to 
the  techniques  given  in  [BAN89]  and  [AT91].  The  first 
step  of  this  technique  is  protocol  idealization.  Consider 
a  protocol  step  in  which  a  key  server  S  distributes  a 
key  to  principal  A  for  the  purpose  of  talking  with  B.  A 
typical  example  might  thus  be  written, 

4  Personal  communication. 


S  — >■  A:  {Ts,B,I<ab}Kas 

This  means  that  S  has  sent  the  following  to  A  (all  en¬ 
crypted  with  Kas,  a  key  shared  by  A  and  S):  a  time- 
stamp,  Ts,  B’s  name,  and  the  session  key  Kab.  In  our 
language  we  have  already  abstracted  away  from  bit- 
strings  sent  in  messages  to  the  elements  of  the  language 
that  those  bitstrings  represent.  But,  we  must  go  still 
further.  For,  even  if  we  represent  that  S  has  sent  Kab 
to  A,  we  have  not  reflected  that  by  this  transmission  S 
asserts  Kab  to  be  a  good  key  for  a  session  between  A 
and  B.5  This  is  done  via  protocol  idealization.6  The 
above  protocol  step  is  rewritten  in  the  idealized  form: 

S  — >■  A:  {Ts,B,A^AB}Kas 

Once  we  have  the  idealized  protocol,  we  write  down  cor¬ 
responding  formulae  in  the  logic  following  a  procedure 
called  ‘protocol  annotation’  in  [BAN89].  We  will  use  the 
formulae  generated  by  annotation  as  the  premise  set  in 
proofs  of  protocol  goals.  To  generate  this  set  we  first 
write  down  the  initial  assumptions.  These  are  things 
that  are  assumed  to  be  true  before  the  start  of  the  pro¬ 
tocol.  For  example,  A  Ua  S  and  A  believes  (A  Ua  S) 
would  probably  be  needed  as  initial  assumptions  in  or¬ 
der  to  determine  anything  useful  from  the  above  proto¬ 
col  step.  If  a  protocol  analysis  assumes  that  a  principal 
P  comprehends  a  message  X ,  we  require  that  this  com¬ 
prehension  be  explicitly  set  out  in  the  initial  assump¬ 
tions  by  P  believes  P  sees  X.  We  may  also  add  to  the 
premise  set  Q  received  X  for  any  step  in  the  protocol, 

P  - >■  Q  :  X.  Finally,  we  may  add  to  the  premise  set 

P  sees  X  for  any  protocol  step  in  which  P  generates  X . 
Typically,  this  X  will  be  a  nonce  or  a  key  or  some  such 
thing.  (For  example,  the  above  protocol  step  justifies 
adding  S  sees  Kab  to  the  premise  set.) 

With the premise set established we attempt to derive various goals concerning the protocol. A proof is a sequence of formulae in the logic. Each line is either a premise, an axiom, or derivable from preceding lines via modus ponens or necessitation. Our notion of proof differs from Abadi and Tuttle's since they only allow modus ponens to apply to theorems of the logic. This would preclude premises as legitimate lines in a proof.[7] Of course, in AT and SVO necessitation must always be restricted to theorems: we should not generally infer that each principal believes all the assumptions contained in the premise set. A typical goal of, e.g., a key distribution protocol would be that one of the principals believe that the distributed key is good for communication with the other.

[5] It is merely a mnemonic device that the distributed key in this case is usually labelled ‘$K_{ab}$’.

[6] Unlike in [BAN89], we do not assume that cleartext is left out of the idealized protocol. As first noted in [GKSG91], such omission can sometimes create problems.

[7] Our choice to characterize proofs in this way has important repercussions for other features of the logic. In [AT91] it was necessary for analysis to restrict consideration to “good” runs where, e.g., initially held beliefs are true, where negations do not occur within belief operators in initially held beliefs, etc. We need place no such restrictions. We defer discussion because of space.

Syntactic analysis of the type just described is all that is available using BAN, GNY, and other logics without an independent semantics. AT and SVO add another level to this by providing an independently motivated model-theoretic semantics. In addition to other values, this allows one to do semantic analysis of the protocol. One advantage of this is a rigorous means of assessing the truth of initial assumptions. Problems arising from initial assumptions, as in the Nessett protocol [Nes90], are thus addressable using these logics. (Cf. [Syv92] for a detailed discussion.)
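The annotation-and-proof procedure of §1.3 can be mechanized for the example step. What follows is an added example, not code from the paper or its authors: a small forward-chaining prover in Python over the non-modal axioms of §1.2 (3, 6 to 9, 12 to 15, 18 to 20), run on the idealized step $S \rightarrow A: \{T_s, B, A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{as}}$ with the initial assumptions §1.3 suggests. The constant names (`Kas`, `Kab`, `Ts`), the sender tag carried inside the encryption (standing in for direction bits, i.e. the $\{X_P\}_K$ notation), and the exact premise set are this example's own choices. Beliefs are handled by closing each principal's belief set under the same rules and re-wrapping, which is what axiom 1 plus Necessitation license for a derivation from premises. Axioms 2 and 10 are deliberately not applied, since under naive fixpoint iteration each generates unboundedly many formulae; axioms 16 and 17 (freshness of concatenations and encryptions) are evaluated on demand rather than enumerated.

```python
# Added example, not part of the paper: forward-chaining prover for a fragment of SVO.
# Messages and formulae are nested tuples so that sets of them are hashable.
def tup(*xs):        return ('tuple',) + xs
def enc(x, k, frm):  return ('enc', x, k, frm)      # {X_frm}_K, sender bound inside the encryption
def believes(p, f):  return ('believes', p, f)
def received(p, x):  return ('received', p, x)
def sees(p, x):      return ('sees', p, x)
def has(p, k):       return ('has', p, k)
def said(p, x):      return ('said', p, x)
def says(p, x):      return ('says', p, x)
def fresh(x):        return ('fresh', x)
def controls(p, f):  return ('controls', p, f)
def shared(p, q, k): return ('shared', p, q, k)     # P <-K-> Q

KEYS = {'Kas', 'Kab'}                                # constant symbols of key type (assumed names)

def is_tuple(x): return isinstance(x, tuple) and x[0] == 'tuple'
def is_enc(x):   return isinstance(x, tuple) and x[0] == 'enc'

def is_fresh(x, facts):
    """Axioms 16 and 17 on demand: a concatenation is fresh if any concatenate is,
    and an encryption (an effectively one-one function) of a fresh message is fresh."""
    if fresh(x) in facts:
        return True
    if is_tuple(x):
        return any(is_fresh(xi, facts) for xi in x[1:])
    return is_enc(x) and is_fresh(x[1], facts)

def step(facts):
    """One application of axioms 3, 6-9, 12-15, 18-20 to every formula in facts."""
    new = set()
    for f in facts:
        kind, p = f[0], f[1]
        if kind == 'received':
            x = f[2]
            new.add(sees(p, x))                                               # 8
            if is_tuple(x):
                new.update(received(p, xi) for xi in x[1:])                  # 6
            if is_enc(x):
                _, inner, k, frm = x
                if has(p, k) in facts:                                        # 7 (shared key: K = its complement)
                    new.add(received(p, inner))
                if any(g[0] == 'shared' and g[3] == k and g[2] == frm for g in facts):
                    new.add(said(frm, inner))                                 # 3 source association
                if believes(p, sees(p, inner)) in facts:
                    new.add(believes(p, received(p, x)))                      # 12 comprehension
        elif kind == 'sees':
            x = f[2]
            if is_tuple(x):
                new.update(sees(p, xi) for xi in x[1:])                      # 9
            if x in KEYS:
                new.add(has(p, x))                                            # 20
        elif kind == 'has':
            new.add(sees(p, f[2]))                                            # 20
        elif kind == 'said':
            x = f[2]
            if is_tuple(x):
                for xi in x[1:]:
                    new.add(said(p, xi)); new.add(sees(p, xi))               # 13
            if is_fresh(x, facts):
                new.add(says(p, x))                                           # 18 nonce verification
        elif kind == 'says':
            x = f[2]
            if is_tuple(x):
                new.add(said(p, x))                                           # 14
                new.update(says(p, xi) for xi in x[1:])
            if controls(p, x) in facts:
                new.add(x)                                                    # 15 jurisdiction
        elif kind == 'shared':
            new.add(shared(f[2], p, f[3]))                                    # 19 symmetry
    return new

def closure(facts):
    """Iterate step() to a fixpoint. Each principal's belief set is closed under the same
    rules and re-wrapped in 'P believes' (deduction theorem + axiom 1 + Necessitation)."""
    facts = set(facts)
    while True:
        new = step(facts)
        for p in {f[1] for f in facts if f[0] == 'believes'}:
            inner = {f[2] for f in facts if f[0] == 'believes' and f[1] == p}
            new.update(believes(p, g) for g in closure(inner))
        if new <= facts:
            return facts
        facts |= new

# The idealized step of section 1.3, annotated as premises (constructed for this example).
KAS, KAB, TS = 'Kas', 'Kab', 'Ts'
X = tup(TS, 'B', shared('A', 'B', KAB))            # plaintext: Ts, B, A <-Kab-> B
MSG = enc(X, KAS, 'S')                             # {Ts, B, A<-Kab->B}_Kas, from S

PREMISES = {
    received('A', MSG),                            # from the protocol step S -> A
    believes('A', shared('A', 'S', KAS)),          # initial assumptions
    believes('A', has('A', KAS)),
    believes('A', f := fresh(TS)) if False else believes('A', fresh(TS)),
    believes('A', controls('S', shared('A', 'B', KAB))),
    believes('A', sees('A', X)),                   # A comprehends the decrypted message (section 1.3)
}
GOAL = believes('A', shared('A', 'B', KAB))

def analyze(premises=PREMISES):
    return closure(premises)

if __name__ == '__main__':
    print('goal derivable:', GOAL in analyze())
    print('without freshness:', GOAL in analyze(PREMISES - {believes('A', fresh(TS))}))
```

Running it derives `A believes A <-Kab-> B` by way of axiom 12 (A believes it received the ciphertext), axiom 7, axiom 3 (S said the plaintext), axiom 18 (fresh timestamp, so S says it), axiom 14 and finally jurisdiction. Dropping the single assumption `A believes fresh(Ts)` leaves `S said ...` derivable but not `S says ...`, so axiom 15 never fires and the goal is unreachable; that is the replay gap nonce verification exists to close. Note also that the key's goodness is derived only inside A's beliefs, never as a top-level fact, exactly as the restriction of Necessitation to theorems intends.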

2  Semantics 

2.1  Model  of  Computation 

Computation is performed by a finite set of principals, $P_1, \ldots, P_n$, who send messages to one another. In addition there is a principal $P_e$ representing the environment. This allows modelling of any penetrator actions as well as reflecting messages in transit.

Each principal $P_i$ has a local state $s_i$. A global state is thus an $(n+1)$-tuple of local states. Principals can perform three actions: sending a message, receiving a message, and generating new data, such as keys. These are denoted by $\mathit{send}(X, G)$, $\mathit{receive}()$, and $\mathit{generate}(X)$ respectively. One can send and receive any message, but one can only generate primitive terms, i.e., members of $T_0$. Other than generating new data, internal computations are not represented as actions. They are represented implicitly. Each action produces a transition from one state to the next. Note that receiving is an action, performed by the principal $P_i$ who receives a message. The action itself is viewed as the nondeterministic choice of some message from $P_i$'s buffer. This is why it is listed as having no argument. Once performed, however, the resulting local state reflects which message was received, e.g., $\mathit{receive}(X)$. Sending is always directed to a set of principals, $G$. If only one principal is the intended recipient, $G$ is a singleton. If a message is indiscriminately broadcast, $G$ is the set of all principals.

A run is an infinite sequence of global states indexed by integral times. The first state of a given run $r$ is assigned a time $t_r \le 0$. The initial state of the current authentication is at $t = 0$. The global state at time $t$ in run $r$ is $r(t)$, and the corresponding projection to $P_i$'s local state is $r_i(t)$. We may also write $r(t)$ as ‘$(r, t)$’. We will also occasionally refer to global states thus represented as points or (possible) worlds. (Cf. §2.2 under Believing.)


The local state of each principal includes a local history of all the actions the principal has performed up to that point and a set of available transformations. These are the computations that are feasibly computable by that principal. They include encryptions and decryptions with available keys as well as other functions the principal may perform, e.g., hashes, signatures, arithmetical functions, etc. The environment's state consists of a global history, a set of transformations available to the environment, and a message buffer $m_i$ for messages sent to $P_i$ and not yet received. We limit the set of runs to those where a given message can only be received after it is sent. Thus, if $\mathit{receive}(X)$ is in the local history at $r_i(t)$, then $\mathit{send}(X, G)$ is in the local history at some $r_j(t')$, where $t' < t$.

As mentioned, transformations on a message are implicitly made when that message is sent or received. For example, if a principal receives an encrypted message $\{X\}_K$ and he has $K$, then he has also received $X$. Specifically, the set of received messages for a principal $P_i$ at a point $(r, t)$ contains the following: (1) all messages $X$ such that $\mathit{receive}(X)$ appears in the local message history at or prior to $t$, (2) the concatenates of any concatenated received message, and (3) any message $X$ for which $\{X\}_K$ is a received message and appropriate application of $K$ is an available transformation for $P_i$. Note that under this definition, if $P_i$ receives an encrypted message and later acquires the decryption key, the decryption is a received message at that later point in the run.

For a given principal $P_i$, the collection of all messages that are received, newly generated, or initially available to $P_i$ implicitly defines a set of seen messages for him at that point. This consists of the messages just mentioned plus all the messages he can recursively produce from those messages via his available transformations or by creating formulae from seen messages. (E.g., $P$ has $K$, $P$ says $X$, etc.) The said messages are somewhat more restricted; we cannot hold a principal responsible for saying everything that is derivable by him from things he said. Given a message $M$ that $P_i$ sends at $(r, t)$, we define the said submessages of $M$ by recursively adding to $\{M\}$ the following: (1) the concatenates of all concatenated submessages of $M$, (2) the unencrypted message of any encrypted submessage of $M$ for which $P_i$ has the encryption key and for which he sees the unencrypted message, (3) the unsigned message in any signed submessage of $M$ for which $P_i$ has the signature key and sees the unsigned message, and (4) the unhashed message in any hashed submessage of $M$ for which he sees the unhashed message. Implicit in saying that $P_i$ has the key or hash function in the above is that $P_i$ also possesses an algorithm that is computable in practice by him and that produces the relevant transformation. The set of said messages for $P_i$ at $(r, t)$ is the union of the sets of said submessages of all messages that $P_i$ has sent in $r$ through time $t$. We further restrict our model to runs where principals can only send what they see. Thus, if $\mathit{send}(X, G)$ is in the local history at $r_i(t)$, then $X$ is in the seen messages at $r_i(t)$. Relatedly, the set of available transformations for a given principal in a single run is monotonically nondecreasing over time.

2.2  Truth  Conditions 

We now set out the conditions under which a formula is assigned to be true. We begin by fixing a system, i.e. a set of runs, $\mathcal{R}$, and an interpretation $\pi$ that maps each proposition constant $p \in T$ to a set of points $\pi(p)$, intuitively, those points at which $p$ is true. Truth of a formula $\varphi$ at a point $(r, t)$, written ‘$(r, t) \models \varphi$’, is inductively defined below. ‘$\models \varphi$’ means that $\varphi$ is valid (true at all points).

Primitive Propositions and Logical Connectives

$(r, t) \models p$ iff $(r, t) \in \pi(p)$,

$(r, t) \models \varphi \wedge \psi$ iff $(r, t) \models \varphi$ and $(r, t) \models \psi$,

$(r, t) \models \neg\varphi$ iff $(r, t) \not\models \varphi$.[8]

Receiving

$(r, t) \models P\ \mathit{received}\ X$

iff $X$ is in the set of received messages for $P$ at $(r, t)$, as defined in §2.1.

Seeing and Having

$(r, t) \models P\ \mathit{sees}\ X$

iff $X$ is in the set of seen messages for $P$ at $(r, t)$, as defined in §2.1. Truth conditions for $P\ \mathit{has}\ K$ are the same, except that $K$ can only be a key.

Saying

$(r, t) \models P\ \mathit{said}\ X$

iff, for some message $M$, at some time $t' \le t$ in $r$, $P$ sent $M$ and $X$ is a said submessage of $M$ for $P$ at $(r, t')$. This gives the truth conditions for $P$ having said $X$ at some point in the past. We also characterize what it means for $P$ to have said $X$ in the current epoch (typically taken to mean since the initial point of the current protocol run).

$(r, t) \models P\ \mathit{says}\ X$

iff, for some message $M$, at some time $0 \le t' \le t$ in $r$, $P$ sent $M$ and $X$ is a said submessage of $M$ for $P$ at $(r, t')$.

Jurisdiction

$(r, t) \models P\ \mathit{controls}\ \varphi$

iff $(r, t) \models P\ \mathit{says}\ \varphi$ implies $(r, t') \models \varphi$ for all $t' \ge 0$. Note that jurisdiction constitutes authority at all points in the current epoch, not just at the time $P$ says $\varphi$. This makes it a very strong property. Attributions of jurisdiction are typically part of initial assumptions and should be made sparingly and judiciously.

Freshness A message is fresh if it has not been part of a message sent prior to the current epoch. It is sufficient but not necessary for freshness that a message be unseen prior to the current epoch. A principal might generate a message earlier and not send it until the epoch begins. Truth conditions are thus in terms of what has been said rather than what has been seen.

$(r, t) \models \mathit{fresh}(X)$

iff, for all principals $P$ and all times $t' < 0$, $(r, t') \not\models P\ \mathit{said}\ X$.

Keys We will give truth conditions with respect to four types of keys: shared keys, public ciphering keys, public signature keys, and public key-agreement keys. The truth conditions for a shared key to be good for communication between P and Q are essentially the same as in [AT91]:

(r, t) |= P ↔_K Q

iff, for all t', (r, t') |= R said {X}_K implies either (r, t') |= R received {X}_K or R ∈ {P, Q}.
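The truth conditions above quantify over every point of a run, so on a finite run they can be evaluated mechanically. The following Python is an added example, not code from the paper: it evaluates received, said, says, fresh and the shared-key condition over a constructed run. Two readings are our assumptions rather than the paper's: each principal holds a fixed key set for the whole run, and the "said submessages" of M are taken to be M, every concatenation component, and the body of any encryption under a key the sender holds (the paper defines both in its §2.1).

```python
"""Added example (not from the paper): evaluating the truth conditions for
received/said/says/fresh and for shared-key goodness over a finite run.

A run is a list of events (t, P, action, M) with action "send" or "recv";
t < 0 means the event happened before the current epoch, which starts at 0.
Messages are atoms (str), concatenations ("cat", M1, ..., Mn) or
encryptions ("enc", K, M).  Fixed key sets and the 'said submessage' rule
below are our simplifications, not the paper's definitions.
"""


def cat(*parts):
    return ("cat",) + parts


def enc(key, body):
    return ("enc", key, body)


def said_submessages(m, keys):
    """Assumed reading of 'X is a said submessage of M for P'."""
    out = {m}
    if isinstance(m, tuple):
        if m[0] == "cat":
            for part in m[1:]:
                out |= said_submessages(part, keys)
        elif m[0] == "enc" and m[1] in keys:
            out |= said_submessages(m[2], keys)
    return out


class Run:
    def __init__(self, events, keys):
        self.events = sorted(events, key=lambda e: e[0])
        self.keys = keys  # keys[P] = set of keys P holds (fixed, see above)

    def received(self, p, x, t):
        """(r,t) |= P received X: X was delivered to P at or before t."""
        return any(tp <= t and q == p and a == "recv" and m == x
                   for tp, q, a, m in self.events)

    def said(self, p, x, t, since=None):
        """(r,t) |= P said X; with since=0 this is P says X (current epoch)."""
        return any(q == p and a == "send" and tp < t
                   and (since is None or tp >= since)
                   and x in said_submessages(m, self.keys[p])
                   for tp, q, a, m in self.events)

    def says(self, p, x, t):
        return self.said(p, x, t, since=0)

    def fresh(self, x):
        """fresh(X): X was not part of any message sent before the epoch."""
        return not any(tp < 0 and a == "send"
                       and x in said_submessages(m, self.keys[q])
                       for tp, q, a, m in self.events)

    def good_shared_key(self, p, q, k):
        """P <-K-> Q: anyone who says {X}_K either received it or is P or Q.
        A third party that merely forwards a ciphertext it received is fine;
        a third party producing a new ciphertext under K is not."""
        for tp, r, a, m in self.events:
            if a != "send":
                continue
            for s in said_submessages(m, self.keys[r]):
                if isinstance(s, tuple) and s[0] == "enc" and s[1] == k:
                    if r not in (p, q) and not self.received(r, s, tp):
                        return False
        return True


# Constructed sample run: S distributes Kab to A under Kas; A uses Kab;
# the eavesdropper E replays a ciphertext it saw, then forges one it did not.
KEYS = {"S": {"Kas", "Kbs"}, "A": {"Kas", "Kab"}, "B": {"Kbs", "Kab"}, "E": set()}
HONEST = [
    (-5, "A", "send", enc("Kas", "Kold")),         # an old key, sent before epoch 0
    (1, "S", "send", enc("Kas", cat("Kab", "B"))),
    (2, "A", "recv", enc("Kas", cat("Kab", "B"))),
    (3, "A", "send", enc("Kab", "Na")),
    (4, "B", "recv", enc("Kab", "Na")),
    (5, "E", "recv", enc("Kab", "Na")),
    (6, "E", "send", enc("Kab", "Na")),            # replay of a received ciphertext
]
FORGED = HONEST + [(7, "E", "send", enc("Kab", "Nb"))]  # E never received this

honest, forged = Run(HONEST, KEYS), Run(FORGED, KEYS)
```

The replay at time 6 does not falsify P ↔_K Q, exactly as the condition intends: E said {N_a}_K but had received it. The forged ciphertext at time 7 does falsify it, which is the semantic trace of a compromised key. Note also that Kold is not fresh although it was sent before the epoch and never within it, and that says, unlike said, ignores that pre-epoch send.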

'PK(P, K)' means both that K is the public key associated with principal P and that the corresponding private key, K^-1, is good. (We refer here to all three types of public keys.) The truth conditions below are thus for both good public key binding and private key secrecy. We will also use 'PK^-1(P)' not to express any proposition, but simply to refer to P's private key in the absence of a specific name. We similarly use 'PK(P)' to refer to P's public key. Signing and ciphering (encryption) may be separated in the case of public keys. Thus, the two sets of truth conditions for these two types of public keys separate out those features from the shared key truth conditions. The first truth conditions for public keys are for signature keys.

(r, t) |= PK_σ(P, K)

iff, for all Q and all t', (r, t') |= Q received {X}_{K^-1} implies (r, t') |= P said X. Next we give truth conditions for public ciphering keys.

(r, t) |= PK_ψ(P, K)

iff, for all t', (r, t') |= Q sees {X}_K implies (r, t') |= Q sees X only when Q = P.

Truth conditions for key-agreement keys are a bit more complicated:

(r, t) |= PK_δ(P, K)

iff, for all t', (1) for some Q, K_PQ = f(K^-1, PK_δ(Q)) implies (r, t') |= P ↔_{K_PQ} Q; and (2) for all R, K_PR = f(K^-1, PK_δ(R)) and (r, t') ⊭ P ↔_{K_PR} R implies, for all U, K_UR = f(PK_δ^-1(U), PK_δ(R)) implies (r, t') ⊭ U ↔_{K_UR} R. (Here f is some agreement function such as that in Diffie-Hellman key agreement. As with other encryption algorithms/functions in protocol analysis, we assume f is strong; in other words, attacks based on properties of the function not specified here are deemed beyond the scope of our analysis.) The first clause guarantees that there is someone with whom P can form a good key. The second clause guarantees that anyone with whom P cannot form a good key cannot form a good key with anybody. The truth conditions for PK_δ(P, K) may seem overly complex. But we cannot simply require that a session key P produces via agreement with any Q is good: even if P's own private key K^-1 were still secret, any given Q's private key-agreement key may have been compromised, compromising K_PQ. On the other hand, we cannot simply require that if P cannot produce a good session key by agreement with Q, then Q has a bad private key-agreement key; that would lead us into a circularity in determining whether truth conditions are satisfied. The above characterization achieves what is needed while avoiding circularity.

⁸(r, t) ⊭ φ means it is not the case that (r, t) |= φ.
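The reason clause (2) is phrased in terms of the other party's private key is easy to see once f is instantiated. The following is an added example, not from the paper, using Diffie-Hellman as the agreement function f: the session key K_PQ is computable from either private key, so it is only as secret as the weaker of the two, and a leaked PK_δ^-1(Q) exposes every K_UQ at once. The group parameters are toy values for illustration only, and the function names are ours.

```python
"""Added example (not from the paper): a concrete look at the two clauses of
the PK_delta truth condition, using Diffie-Hellman as the agreement function f.
Group parameters are toy values chosen for illustration only; the helper
names keypair/agree/exposed_session_keys are ours."""
import secrets

P_MOD = 2**127 - 1   # a Mersenne prime used as a toy modulus; not a vetted DH group
G = 3


def keypair():
    """Return (PK_delta^-1(X), PK_delta(X)) for a fresh principal X."""
    priv = 2 + secrets.randbelow(P_MOD - 3)
    return priv, pow(G, priv, P_MOD)


def agree(own_priv, peer_pub):
    """f(K^-1, PK_delta(peer)): the session key g^(xy) mod p."""
    return pow(peer_pub, own_priv, P_MOD)


def exposed_session_keys(leaked_priv, pubs):
    """Every K_UR an attacker holding R's private key can compute, one per
    public key PK_delta(U) it knows.  This is the situation clause (2)
    describes: once P cannot form a good key with R, nobody else can either."""
    return {u: agree(leaked_priv, pub) for u, pub in pubs.items()}


def scenario():
    p_priv, p_pub = keypair()
    q_priv, q_pub = keypair()
    u_priv, u_pub = keypair()
    k_pq = agree(p_priv, q_pub)          # P's computation of K_PQ
    k_pq_from_q = agree(q_priv, p_pub)   # Q's computation: the same value
    k_uq = agree(u_priv, q_pub)          # some other U's key with Q
    # Q's private key leaks while P's K^-1 stays secret.  K_PQ is nevertheless
    # compromised, which is why the condition cannot simply demand that every
    # key P agrees on be good; and every other K_UQ falls with it.
    leaked = exposed_session_keys(q_priv, {"P": p_pub, "U": u_pub})
    return {"agree": k_pq == k_pq_from_q,
            "k_pq_exposed": leaked["P"] == k_pq,
            "k_uq_exposed": leaked["U"] == k_uq}
```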

Believing Our characterization of belief is based on possible worlds. This approach to characterizing belief was first given by Hintikka in [Hin62]. Since the early eighties it has been applied to distributed computing (one example of such application being that in [AT91]). The idea is that a principal's beliefs in a given state are determined by which worlds (global states) are considered to be possibly the state he is in. From his perspective these worlds are indiscernible from one another, though they may be discernible from the one he is in. (This is because he may be mistaken about which state he is in.) For each principal P_i we can thus define a relation ~_i that indicates for each world (r, t) which worlds are possible in this manner for P_i. Not surprisingly, this is closely tied to the messages that are comprehended by P_i at each world, those that he can discriminate to be what they are.

The messages that a principal can comprehend are those that he can ultimately tie back to cleartext he has seen. The local state for a principal includes a set of seen messages; however, some of these he will see without comprehension. For example, if he sees a hash H(X) but not X, then he does not comprehend what he's seeing to be H(X). Similarly, if he sees {X}_K but does not have the relevant decryption key, then he does not comprehend what he is seeing even if X is available plaintext. We determine the set of comprehended messages for a given principal P_i at a given point (r, t) as follows.


Of the seen messages for P_i at (r, t), include in the comprehended messages all primitive terms of T_0 and all proposition constants, also any formulae of the form P ↔_K Q, PK(P, K), or P has K. The result is the basis for the set of comprehended messages. We can then recursively add seen messages to the basis set. If X is in the comprehended set and P is in the comprehended set, then any of the following are added (from the seen messages): P sees X, P received X, P says X, P said X, or fresh(X). Similarly, if P and a formula φ are in the available set, then P believes φ and P controls φ are comprehended. Any seen compound formula is comprehended if its subformulae are comprehended. We introduce new notation for concatenated formulae where some, but not all, of the concatenates are comprehended. If (X_1, ..., X_n) is a seen message, then the result of replacing any X_i with * so that only comprehended messages and *s appear in the concatenated message is comprehended. Finally, if (1) F is any effectively one-one function, and either F or F^-1 is computable in practice by P, (2) X is comprehended, and (3) F(X) is a seen message, then F(X) is comprehended.

Define comprehension(P, (r, t), (r', t')) to be the set of messages that results from applying the available transformations for P in (r, t) to the seen messages for P in (r', t') according to the procedure just given for producing the set of comprehended messages for P (at a single world). Thus the comprehended messages for P at (r, t) are exactly the members of comprehension(P, (r, t), (r, t)). The possibility relation for a principal P_i in state (r, t) is defined by

(r, t) ~_i (r', t')

iff the local histories in r_i(t) and r'_i(t') are the same and

comprehension(P_i, (r, t), (r, t)) = comprehension(P_i, (r, t), (r', t')) ⊆ comprehension(P_i, (r', t'), (r', t')).⁹

The second clause implies that a principal should consider possible those worlds that look the same and where his discernment capabilities are at least as great as they actually are. This does not mean that he can tell what any further capabilities would be.
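The procedure for the comprehended set is a fixed-point computation over the seen messages, and the term part of it is short enough to write down. The following Python is an added example, not code from the paper; it covers atoms, concatenations, encryptions and hashes (formulae such as P believes φ are not modelled), and it assumes, since the paper's §2.1 is not reproduced here, that the seen set is the received messages closed under splitting concatenations and decrypting under held keys. The three constructed views reproduce the two cases in the text: a hash whose preimage was never seen, and a ciphertext whose key is missing even though its plaintext is available.

```python
"""Added example (not from the paper): computing the comprehended messages
of a principal from his seen messages, following the procedure in the text
for the term part of the language.  Messages are atoms (str),
("cat", M1, ..., Mn), ("enc", K, M) and ("hash", M).  The seen-set closure
below is our assumption about the paper's §2.1 definition."""

STAR = "*"


def seen_closure(received, keys):
    """Seen messages (assumed definition): received, plus components of seen
    concatenations, plus bodies of seen encryptions under a held key."""
    seen, todo = set(received), list(received)
    while todo:
        m = todo.pop()
        parts = []
        if isinstance(m, tuple) and m[0] == "cat":
            parts = list(m[1:])
        elif isinstance(m, tuple) and m[0] == "enc" and m[1] in keys:
            parts = [m[2]]
        for part in parts:
            if part not in seen:
                seen.add(part)
                todo.append(part)
    return seen


def comprehended(seen, keys):
    """Basis: the seen primitive terms.  Then repeatedly: a seen F(X) with X
    comprehended is comprehended when P can compute F or its inverse (a hash
    by anyone, an encryption only with the key); a seen concatenation is
    comprehended once each component is comprehended or replaced by '*'."""
    comp = {m for m in seen if isinstance(m, str)}
    while True:
        new = set()
        for m in seen:
            if not isinstance(m, tuple):
                continue
            if m[0] == "hash" and m[1] in comp:
                new.add(m)
            elif m[0] == "enc" and m[1] in keys and m[2] in comp:
                new.add(m)
            elif m[0] == "cat":
                new.add(("cat",) + tuple(x if x in comp else STAR for x in m[1:]))
        if new <= comp:          # fixed point reached
            return comp
        comp |= new


def what_p_comprehends(received, keys):
    return comprehended(seen_closure(received, keys), keys)


# Constructed inputs.  A holds Kab; B does not.
MSG = ("cat", "Na", ("enc", "Kab", "Nb"), ("hash", "X"), ("enc", "Kbs", "K2"))

A_VIEW = what_p_comprehends([MSG], keys={"Kab"})
A_VIEW_WITH_X = what_p_comprehends([MSG, "X"], keys={"Kab"})
# B sees the same ciphertext and, separately, its plaintext, but lacks Kab.
B_VIEW = what_p_comprehends([("enc", "Kab", "Nb"), "Nb"], keys=set())
```

In A_VIEW the hash and the ciphertext under Kbs are replaced by * in the comprehended concatenation; once A has also seen X, H(X) is tied back to cleartext and only one * remains. B comprehends N_b as cleartext but not {N_b}_Kab, exactly the case the text describes.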

We can now give truth conditions for belief formulae:

(r, t) |= P_i believes φ

iff (r', t') |= φ for all (r', t') such that (r, t) ~_i (r', t').

This completes the conditions necessary to assign truth values to all formulae in the logic.

⁹Those who may have been wondering why SVO has no negative introspection axiom (axiom A3 in AT) should note that this relation is not euclidean. (Nor do we wish it to be.)


2.3 Soundness

Theorem 2.1 If Γ ⊢ φ, then Γ |= φ. (For a set of formulae Γ and a formula φ, if φ is derivable from Γ, then φ is true at any world making all of Γ true.)

Proof: (Sketch) This is a typical tedious soundness proof: show that the axioms are valid (true at all worlds) and that derivation preserves truth. Proof of validity for all axioms is direct by inspection of the truth conditions given in §2.2. As space is limited, we prove only validity of axiom 4 as an example.

(PK_σ(Q, K) ∧ R received {X}_{K^-1}) ⊃ Q said X

This is a conditional, hence true at a point (r, t) if (r, t) ⊭ (PK_σ(Q, K) ∧ R received {X}_{K^-1}) or (r, t) |= Q said X. If the antecedent is false at (r, t), then the conditional is true. If the antecedent is true at (r, t), then both of its conjuncts are true there. But (r, t) |= PK_σ(Q, K) implies that if (r, t) |= R received {X}_{K^-1}, then (r, t) |= Q said X. So axiom 4 is true at all worlds (r, t).

All that remains to be shown for soundness is that all the ways that φ can be derived from Γ preserve truth. There are three cases. (1) If φ is a theorem or a member of Γ, then Γ |= φ trivially. (2) If φ is obtained by modus ponens, then it occurs in a derivation from Γ in which some ψ and ψ ⊃ φ occur earlier. Then by induction on the structure of the derivation and the definition of truth conditions, Γ |= φ. (3) Also by a trivial induction, if φ is obtained by necessitation, then φ is P believes ψ for some P and some ψ such that ⊢ ψ. By inductive hypothesis, |= ψ. So, by the truth conditions for belief, |= P believes ψ. Thus, a fortiori, Γ |= P believes ψ. □

3 Relation to GNY extensions

In [GNY90], Gong, Needham, and Yahalom presented GNY. This logic is noteworthy for making one of the largest additions to both the notation and logical rules of BAN. It is therefore interesting to see how much of it is easily accommodated in SVO.

3.1 GNY Notational Additions

P ◁ X: P is told X. This is expressed in our syntax as 'P received X'.

P ∋ X: P possesses, or is capable of possessing, X. This is expressed in our syntax as 'P sees X'.

P |~ X: P once conveyed X. This is expressed in SVO as 'P said X'.

♯(X): X is fresh. This is expressed in SVO as 'fresh(X)'.

φ(X): Recognizability of X. In GNY rules this only occurs in the context of someone's belief. This is consistent with the reasonable requirement that recognizability be tied to an individual, rather than considering what is recognizable to everyone. We will express this relativization in SVO by translating expressions of the form P |≡ φ(X) in GNY as P believes P sees X.

P ◁ *X: P is told a formula that he did not convey previously in the current run. This is captured in SVO as '(P received X) ∧ ¬(P says X)'. Note that the SVO expression is actually broader than the GNY expression. It says that P did not say X since the start of the current run, whether within the run or not.

X ⇝ C: These are called message extensions. They are used in conveyed messages to indicate conditionality of an assertion. They are only used logically in connection with GNY J2, one of the jurisdiction rules. We defer comment to the section below where we discuss this rule.

It is interesting that we were unable to give translations for some of the GNY formulae without referring to the corresponding logical rules. This is because, beyond a minimal intuitive explanation, any technical meaning that GNY expressions hold is tied up with the logic.

3.2 GNY Logical Rules

We will look at these rules with the following question in mind. Once we have made an appropriate translation to SVO syntax, is there a logical derivation (in SVO) of the conclusion of a rule from its premises? If so, then the rule expresses a result that is syntactically captured in SVO. (Hence, we know that it is also semantically captured by our model of computation because of soundness.) When we say that a GNY rule is derivable in SVO below we mean that the answer to the question just asked is yes.

GNY Rationality Rule

This rule says that whenever we can infer C2 from C1, we can also infer P |≡ C2 from P |≡ C1. It falls out of the modus ponens rule and axiom 1.

GNY Being Told and Possession Rules

All of these rules are obviously derivable in SVO except T5. T5 says that P ◁ Y follows from P ◁ F(X, Y) and P ∋ X. F is taken to be a many-to-one computationally feasible function that is one-to-one computationally feasible if either X or Y is held constant, as is its inverse ([GNY90], p. 235). It is difficult to assess such a rule in general, but Gong et al. do provide one example of the type of function they have in mind, viz. exclusive-or. Our discussion of T5 thus follows their example. If we view exclusive-or as encryption, then T5 can be viewed as a general statement of T3, which says that P ◁ Y follows from P ◁ {Y}_X and P ∋ X. However, care must be taken in such cases because, when exclusive-or is used for encryption, {X}_Y = {Y}_X. Strictly speaking, in our language this is only true when both X and Y are keys, since {X}_Y is only well-formed when Y is a key. Nonetheless, according to T5 in GNY, if P receives X ⊕ Y and P possesses both X and Y, then P has been told X and been told Y. There may be applications for which this is a reasonable inference, but the example shows why we might not want to have T5 as a logical rule. Often, if not virtually always, we would like to distinguish a message sent from attendant parameters, such as keys used to encrypt the message. However, T5 obliterates this distinction by treating the arguments of F symmetrically. Furthermore, such symmetry can serve as the basis of attacks that allow a penetrator to deduce keys from chosen, known, or guessed plaintext; for example, the Simmons attack on the TMN protocol discussed in [TMN90]. This example does not serve as a similar basis for criticism of T3. The symmetry in the encryption algorithm subjects it to direct attack. This violates the general assumption of all logics discussed herein that encryptions are not breakable by direct attack (to reveal either the plaintext or the key).

GNY Freshness Rules

All of these rules are derivable in SVO except F5 and F6. F5 says that a principal's belief in the freshness of a private key follows from his belief in the freshness of its public cognate. F6 expresses the converse inference. There is no reason in practice to question these rules; however, there is also no harm in practice in leaving them out, since public keys are usually long term and not distributed on line. They thus do not generally play a role in freshness considerations. F11 is only derivable in SVO assuming R6, which will be discussed shortly.

GNY Recognizability Rules

All of these rules are derivable in SVO except R6. This rule says that P |≡ φ(X) follows from P ∋ H(X). But, from the mere possession of H(X), P should not form any beliefs about X; without X, he may not know that he is seeing H(X) rather than some other message or even just a random bitstring. R6 as given in GNY is thus too strong. If we replace the statement that P believes X is recognizable with a claim that X is recognizable by P we get a more reasonable conclusion. However, we have no formal means to represent this in either SVO or GNY. SVO does not have the expressive capability to indicate that a principal recognizes a given bitstring as the same one that yielded the hash he received in a previous message. But this is not a very serious limitation. Generally we would like to have such recognition only when the bitstring has some meaning to the recipient, i.e., corresponds to an element of the language that he comprehends. This type of recognition is captured in SVO via axiom 12.

GNY Message Interpretation Rules

We do not attempt to handle all of these, on general grounds of logical unwieldiness and inelegance. We make an admittedly arbitrary division by addressing only those rules containing fewer than five premises. Once appropriate translations have been made, these are derivable in SVO except for the second conclusion of I4: P |≡ Q |~ {X}_{K^-1}. We saw no practical value in such a conclusion. Should this be incorrect, Q said {X}_{K^-1} can be added to the consequent of axiom 4. (A similar addition can be made to axiom 3.) The logic remains sound with respect to the semantics given in §2.

GNY Jurisdiction Rules

Like AT, SVO separates belief from everything else, including trust. This is useful (and perhaps the only way one is likely to maintain a model-theoretic semantics). The only jurisdiction rule (actually axiom) in SVO is the same as in AT, viz: P controls φ ∧ P says φ ⊃ φ.

GNY J1 is taken directly from BAN's jurisdiction rule. BAN also has only one rule in this category. Nonetheless, BAN's rule is not derivable from the above nor valid in the semantics. This is no great loss since the only iterated beliefs we generally care about are derived from things that one principal says to another. In other words, the above axiom captures what we need from J1. BAN and GNY must express jurisdiction in terms of belief since that is their only way to capture a principal's actions in the current epoch. A more detailed discussion of this is given in [AT91], §3.2.

As Gong et al. say (p. 240) that J3 is just a special case of J2, we focus on J2.

(From P |≡ Q |⇒ Q |≡ *, P |≡ Q |~ (X ⇝ C), and P |≡ ♯X, infer P |≡ Q |≡ C.) This rule introduces new notation not discussed elsewhere. 'P |≡ Q |⇒ Q |≡ *' captures the idea that P believes Q to be honest (Q only says what he believes) and competent (Q understands the implications of what he says). This can be translated directly to the following SVO syntax expression: P believes (((Q says X) ∧ (X ⊃ C)) ⊃ (Q believes C)). The second premise of the rule can also be translated directly to SVO: P believes ((Q said X) ∧ (X ⊃ C)). And the third premise is the same in GNY and SVO, except for an irrelevant notational difference. Similarly, the conclusion of the rule is the same in GNY and SVO. So the rule is entirely expressible within the SVO syntax. Furthermore, it is not only sound but an easy logical derivation in SVO.

4 Relation to VO extensions

The first paper to introduce the capability to reason about key agreement, e.g., Diffie-Hellman exchanges, to a BAN-like logic is [vO93]. Some of the notation and rules introduced therein arise naturally in such protocols, but they are also applicable to shared and private key protocols as discussed in the above papers.

4.1 VO Notational Additions and Logical Rules

VO's unconfirmed-secret relation between A and B: K is A's unconfirmed secret suitable for B. No one aside from A and B and those they trust knows or could deduce K. This construct emphasizes, however, that while A knows K, B may or may not. This notation arises quite naturally when looking at key agreement protocols, such as Diffie-Hellman type key distributions, and is actually easy to capture in our semantics. Since it simply means that K is a good key for A and B regardless of whether either of them knows this, we can actually define the unconfirmed-secret relation in the SVO syntax: (A ↔_K B) ∧ (A has K).

VO's confirmed-secret relation between A and B: K is A's confirmed secret suitable for B. A knows K, and has received evidence confirming that B knows K. No parties other than A and B and those they trust know or can feasibly deduce K. This is a little trickier to capture in our semantics, for we must decide what it means for A to receive confirmation that B knows K. Let us consider a typical example of such confirmation in a protocol. Suppose B has just received the session key K and wants to confirm this to A. If she has sent him a nonce N_a earlier in the protocol run, a typical way for B to send confirmation is by encrypting N_a (or perhaps N_a - 1) together with his own name under K and sending this to A. VO reasons about the key confirmation B sends to A in this example by introducing confirmation axioms, which we will discuss below when we come to the confirm(K) notation.

How would this key confirmation be handled using existing constructs in SVO? Consider an SVO analysis of a key distribution protocol where the above confirmation occurs. The standard practice in [BAN89] would be to idealize this in the protocol analysis by B sending to A {N_a, (A ↔_K B), B}_K. In other words, the protocol idealization of B's sending such a message incorporates B saying that K is a good key for A and himself. But notation of the form A ↔_K B is BAN's only way to express statements about a key. Using SVO notation we can make the more accurate idealization of this message as {N_a, (B has K), B}_K. Following this idealization procedure, we could idealize A's receipt of the message we have been discussing as 'A received {N_a, (B has K), B}_K'. Given that A has the necessary beliefs about the freshness of N_a and the (unconfirmed) goodness of K, we can derive the conclusion of the VO key confirmation rule (R32) within SVO. Thus, if we translate VO's confirmed-secret syntax as A believes ((K is A's unconfirmed secret suitable for B) ∧ (U says U has K)), where U ≠ A,¹⁰ reasoning about key confirmation can be captured entirely within SVO. (Translating this fully back to the SVO syntax we get A believes ((A ↔_K B ∧ A has K) ∧ (U says (U has K))), where U ≠ A.)

The technique of the last paragraph allows us to capture key confirmation entirely without adding explicit confirmation syntax to SVO. However, there is a hidden informal assumption in such an approach. We can only use it if we systematically employ metarules for idealization. Instead of explicitly using VO confirmation axioms we must, in effect, always employ those axioms in protocol idealization. But, if we add the VO notation and rules, the idealization of the confirmation message is the same as its representation in the concrete protocol. (In other words, {N_a}_K is idealized simply as {N_a}_K.) We thus have a choice. On the one hand is a more streamlined logic and semantics accompanied by a more complex analysis procedure, while on the other is a more complex logic and semantics accompanied by a more straightforward analysis procedure. By far the greatest source of confusion and misapplication of BAN to date has come from slipping dubious assumptions in (or leaving necessary assumptions out) during protocol idealization. The more formally explicit approach is thus safer, but either can be rigorously followed to the same practical effect. In the next paragraph we will discuss a proposal that combines the advantages of explicit axioms, clearer idealization, and a simpler logic.

¹⁰For reasons that will soon become apparent, we will give a revised definition of the confirmed-secret relation below.

confirm(K): Current knowledge of K has been demonstrated. We have been discussing the relative merits of capturing key confirmation via axioms and via direct translation to the syntax of SVO. If we choose to follow the latter route, then 'confirm(K)' becomes irrelevant notation. The axioms make use of recognizability in the sense of GNY. Thus, if we wish to follow the former route, we will have to relativize 'confirm(K)' in just the way that we relativized 'φ(X)' in §3.1. For convenience in the following discussion we introduce the syntactic shorthand φ_P(X) = P believes P sees X. The relativization is thus trivial notationally. For example, VO axiom C3 becomes

fresh(K) ∧ φ_P(H(K)) ⊃ confirm_P(K)

We could use this to try to treat confirm_P(K) as a defined term following the axioms. But this raises some problems. Suppose we introduce the following definition (which encompasses C1, C2, and C3):

confirm_P(K) = (fresh(X) ∧ φ_P({X}_K)) ∨ (fresh(X) ∧ φ_P(MAC_K(X))) ∨ (fresh(K) ∧ φ_P(H(K)))

If we were then to try to apply this in VO rule R32, we would need to verify that A received *confirm_A(K). Unpacking the syntactic definition, this would mean that A received *((fresh(X) ∧ φ_A({X}_K)) ∨ (fresh(X) ∧ φ_A(MAC_K(X))) ∨ (fresh(K) ∧ φ_A(H(K)))). But, since receiving does not distribute across disjunctions, this would never actually be satisfied. Actually this problem exists for R32 even before we attempt to give a definition: it is clear that in the condition A received *confirm_A(K), A is not meant to see a statement regarding freshness. Rather she is supposed to see a statement that contains a fresh component. In addition there is the open-endedness of the axiom list. These axioms were meant to capture three common ways of establishing key confirmation in practice, but others are possible. A fourth would simply involve sending the key K itself in a message; the message would have to be fresh somehow itself if the key K was not known to be fresh. (Note that in Diffie-Hellman key agreement, it is.) So, another axiom would be

C4. φ_P(K) ∧ fresh(K) ⊃ confirm_P(K)

These and similar possibilities can all be represented in SVO by a single syntactic definition:

confirm_P(K) = ((P received F(X, K)) ∧ φ_P(F(X, K)) ∧ (fresh(X) ∨ fresh(K)))

Here F is a feasibly computable function that is effectively one-one. This means it is infeasible to find any two pairs (X, K) mapping to the same value. F is required to be one-way (in the sense that encryptions, MACs, and cryptographic hash functions would be) if and only if it is important that K not be revealed by the confirmation process itself.¹¹ This also allows a more general definition of (data) confirmation (rather than key confirmation). Restricting confirmation to keys seems unnecessary, and it should not be a general constraint that data are not revealed through the confirmation process. Ways of confirming knowledge of information without revealing the information itself are the subject of a large area of research, namely zero-knowledge; this subject is beyond the scope of the present work. Note X can be null, and F could be the identity function, as in C4, the above axiom. We have incorporated 'P received F(X, K)' into the definition because confirmation is only relevant if someone receives it. Bringing this into the axiom itself avoids the problem of distributing received raised above. We can provide a similar definition to indicate that P has received confirmation from someone other than herself:

*confirm_P(K) = (P received F(X, K)) ∧ ¬(P said F(X, K)) ∧ φ_P(F(X, K)) ∧ (fresh(X) ∨ fresh(K))

The definition just introduced has a number of advantages. It makes confirmation criteria explicit but constitutes no addition to SVO since it is eliminable, i.e., it can always be replaced by the longer expression that is purely in the language of SVO. As just indicated, its application goes beyond the current context. It still requires that informal work be done, but the idealization of the protocol is as direct as it would be were we to use the axioms from [vO93]. (As in our example of returning an encrypted nonce above, {N_a}_K is still idealized as {N_a}_K.) The informal step is in determining whether or not this constitutes a function and functional arguments as stipulated in the axiom. But this question is not subject to the same difficulties as when requiring confirmation judgements in protocol idealization. There we are required to determine the intended meaning of a message (fragment). Here we need only make a determination based on mathematically rigorous criteria, up to the limits of the usual cryptographic assumptions made in protocol analysis.

¹¹In confirming knowledge of K, the intention is that the key K itself is not revealed. However, in terms of formal definition, this is irrelevant: what is of import is confirmation only. If a key K is somehow compromised, whether in relation to key confirmation or otherwise, this may violate an assumption about key quality, but that should be treated distinctly from key confirmation.
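The *confirm_P(K) definition, and the nonce-return exchange used earlier to motivate it, can be exercised on concrete messages. The following is an added example, not code from the paper or from [vO93]: HMAC-SHA256 stands in for F(X, K) (one-way and effectively one-one, as the definition requires), and our reading of φ_P(F(X, K)), "P believes P sees F(X, K)", is that P can recompute the value from an X he has seen and a K he holds. The Principal class, keys and nonces are constructed for the example. Beyond the honest exchange it also runs the failure modes the definition is designed to exclude: a reflected value P said herself, a value over a stale nonce, and a value computed under the wrong key.

```python
"""Added example (not from the paper): the nonce-return exchange checked
against the *confirm_P(K) definition, with HMAC-SHA256 as F(X, K).
Keys, nonces and the Principal class are constructed for illustration."""
import hashlib
import hmac
import secrets


def F(x: bytes, k: bytes) -> bytes:
    """MAC_K(X): one instance of the confirmation function F(X, K)."""
    return hmac.new(k, x, hashlib.sha256).digest()


class Principal:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.sent, self.received = [], []   # local history
        self.fresh = set()                   # values generated by this principal this epoch

    def new_nonce(self) -> bytes:
        n = secrets.token_bytes(16)
        self.fresh.add(n)
        return n

    def send(self, m: bytes) -> bytes:
        self.sent.append(m)
        return m

    def recv(self, m: bytes) -> None:
        self.received.append(m)

    def recognises(self, m: bytes, x: bytes) -> bool:
        """phi_P(F(X,K)), as read here: P ties m back to X and his own K."""
        return hmac.compare_digest(m, F(x, self.key))

    def star_confirm(self, x: bytes, key_fresh: bool = False) -> bool:
        """*confirm_P(K): P received F(X,K), P did not say it himself,
        P recognises it, and X (or K) is fresh."""
        return any(self.recognises(m, x) and m not in self.sent
                   and (x in self.fresh or key_fresh)
                   for m in self.received)


def nonce_return(a: Principal, b: Principal) -> bytes:
    """A -> B: N_a ;  B -> A: MAC_K(N_a).  Returns N_a for the caller's check."""
    na = a.send(a.new_nonce())
    b.recv(na)
    a.recv(b.send(F(na, b.key)))
    return na


def run_cases():
    k = secrets.token_bytes(32)
    # 1. Honest exchange with a shared K: confirmation holds.
    a, b = Principal("A", k), Principal("B", k)
    honest = a.star_confirm(nonce_return(a, b))
    # 2. Reflection: A is handed back a MAC she computed and sent herself.
    a2 = Principal("A", k)
    na = a2.new_nonce()
    a2.recv(a2.send(F(na, k)))
    reflected = a2.star_confirm(na)
    # 3. Replay: the MAC is over a nonce A never generated in this epoch.
    a3, b3 = Principal("A", k), Principal("B", k)
    old = secrets.token_bytes(16)          # not registered as fresh by A
    a3.recv(b3.send(F(old, k)))
    replayed = a3.star_confirm(old)
    replayed_fresh_key = a3.star_confirm(old, key_fresh=True)  # K itself fresh, as in DH
    # 4. B holds a different key: A cannot tie the value back to her K.
    a4, b4 = Principal("A", k), Principal("B", secrets.token_bytes(32))
    wrong_key = a4.star_confirm(nonce_return(a4, b4))
    return {"honest": honest, "reflected": reflected, "replayed": replayed,
            "replayed_fresh_key": replayed_fresh_key, "wrong_key": wrong_key}
```

Case 3 shows the disjunction fresh(X) ∨ fresh(K) doing work: a stale nonce gives no confirmation on its own, but if K is known fresh (the Diffie-Hellman situation noted in the text) the same received value does confirm it.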

Given the considerations of the last several paragraphs, we revise our definition of the confirmed-secret relation:

(K is A's confirmed secret suitable for B) = ((A believes (K is A's unconfirmed secret suitable for B)) ∧ *confirm_A(K))

We now turn to notation for reasoning about public and private keys. The BAN notation to represent that K is A's public key is '↦_K A'. It is simply assumed in BAN that the corresponding private key is kept secret. Notation for the private key, 'K^-1', is only used to indicate encryption using the key, e.g., {X}_{K^-1}. A's possession of K^-1 is meant to be implicitly inferred from A believes ↦_K A. GNY introduce syntax for explicitly representing and reasoning about possession of private keys. Nonetheless, goodness of a private key is still meant to be inferred from a statement about the public key as in BAN, i.e., from ↦_K A. In [GS91], Gaarder and Snekkenes separate statements representing that A has an associated good public key K, viz. PK(A, K), from those representing that A has an associated good private key, viz. Π(A). Thus the judgement about the quality of the private key is now associated with a statement about the private key, rather than being implied by a statement about the public key. In effect, this separates statements about the binding of a public key to a principal from statements about the quality of a principal's private key. Gaarder and Snekkenes separated these to reason about certificates binding a principal to a public key in the X.509 protocol separately from evaluating trust that the corresponding private key is kept secret. VO follows the developments of Gaarder and Snekkenes and also introduces distinct notation for public keys for signing, enciphering, and key agreement.

PK<j(A,A'):  K  is  the  public  signature  verification  key 
associated  with  principal  A. 

PK~1(A):  A’ s  private  signature  key  A'-1  is  good.  Here 
A'-1  corresponds  to  the  public  key  K  in  PKCT(A,  A').12 

Analogous  definitions  are  made  for  enciphering 
(PK^(A,  A'),  PK^1(A))  and  key  agreement 

12We  are  following  convention  here  by  using  iK~ 1  ’  to  refer  to 
a  private  signature  key.  Some  schemes  such  as  RSA  can  be  used 
for  both  enciphering  and  signatures  because  of  invertibility.  This 
makes  the  notational  choice  quite  natural.  However,  some  signa¬ 
ture  schemes  are  not  invertible,  and  for  those  schemes  the  notation 
is  slightly  deceptive. 


(PKi(A,  AT),  PK^"1(j4)).  Unfortunately  in  the  seman¬ 
tics  of  §2  we  were  unable  to  give  truth  conditions  for 
all  of  these  individually.  We  have  reverted  to  grouping 
the  binding  of  a  public  key  together  with  the  quality 
(secrecy)  of  the  private  key.  We  thus  use  ‘PK(A,  K)’  to 
mean  both  that  K  is  the  public  key  associated  with  prin¬ 
cipal  A  and  that  the  corresponding  private  key,  A'-1, 
is  good.  If  this  is  a  loss,  it  is  logically  speaking  a  mi¬ 
nor  one.  There  are  good  reasons  for  separating  the  two 
notions.  For,  there  are  two  distinct  kinds  of  protocol 
failures  here.  On  the  one  hand,  the  secrecy  of  a  pri¬ 
vate  key  might  be  compromised.  On  the  other  hand, 
a  principal  A  might  be  tricked  into  thinking  that  the 
wrong  public  key  is  bound  to  principal  B.  The  distinc¬ 
tion  introduced  by  Gaarder  and  Snekkenes  allows  us  to 
differentiate  these  failures.  Nonetheless,  the  only  logical 
use  of  the  corresponding  expressions  occurs  in  their  rule 
R13,  where  both  proper  binding  and  good  private  keys 
are  premises  of  the  rule.  (Actually,  what  is  required  is 
belief  therein,  but  this  is  aside.)  This  is  similarly  true 
for  VO’s  rules.  Thus,  since  both  good  public  binding 
and  good  private  keys  are  required  for  any  logical  use 
of  these  notions,  it  is  sufficient  to  have  notation  that 
captures  them  together.  (Nevertheless,  we  acknowledge 
that  it  would  be  nice  to  have  the  requirements  syntacti¬ 
cally  separated  for  a  more  direct  reflection  of  the  nature 
of  potential  failures.) 

Aside  from  the  key  confirmation  axioms  already  dis¬ 
cussed,  VO  introduces  three  new  logical  rules.  (These 
are  presented  in  appendix  C.)  They  are  all  derivable  in 
SVO,  with  the  translations  discussed  above. 

5  Conclusions  and  Further  Study 

A  formal  method  that  tries  to  cover  all  the 
features  of  cryptographic  protocol  analysis  is 
like  a  Swiss  Army  knife — not  a  terribly  good 
instance  of  any  of  the  tools  it  contains. 

— Roger  Needham 

In this paper we have presented a logic that encompasses four of its predecessors in the BAN family. We have also presented a model-theoretic semantics for our logic with respect to which it is sound. Despite adding expressiveness and axioms sufficient to reason about all the properties of cryptographic protocols to which these four predecessors are addressed, it is no more syntactically complex than any of them. In fact, measured by the number of rules or axioms and their relative simplicity, it is less complex than GNY, AT, and VO. And, it has about the same number as BAN. In sum, we believe this logic to be as simple to use or simpler than any of those from which it is derived; yet it is more expressive than any of them.

We have not looked at all the logics that have been derived from BAN, e.g., [MB93]. (That logic is a contraction rather than an expansion of BAN. It is designed to allow much that is informal in the analysis process to be automated.) In particular we have not discussed logics that express either time or message ordering. The goals of these logics are somewhat more ambitious than those discussed above. One of those goals is to address more types of replay attacks. BAN is only directed at classic replays, i.e., replays of messages originally sent before the current protocol began. GNY, with its not-originated-here syntax, adds the ability to reason about some replay attacks using messages from within the current protocol run but still does not address interleaving attacks, that is, attacks involving replay of messages from at least two contemporaneous protocol runs. (Cf. [BGH+92], [DvOW92], [Sne92], [Car93].) Indeed, none of the logics discussed in this paper generally addresses interleavings at all.

Failure of methods such as BAN logic to address interleaving attacks has led some to focus on the notion of current protocol run rather than on freshness. However, this still leaves some types of replays unaddressed (e.g., the first attack presented in [Syv93b]). In [Syv93a] a temporal version of BAN logic is presented that allows one to express general criteria for freedom from replays. It does not give a general means for detecting such replays. Thus it is only a first step; nonetheless, the introduced temporal operators are necessary if one is to even express such criteria in a BAN-like logic. That logic is sound with respect to the semantics presented in this paper. In fact, fully integrating it into the logic we have given is simply a matter of adding five axioms and a rule.

We also have yet to explore the relationship between different BAN-like logics that reason about time (e.g., [GS91]) or the relationship they have to logics that allow reasoning about message ordering (e.g., [KG91]). Our suspicion is that the logics of [GS91] and [KG91] can be captured by the logic of this paper with the temporal additions of [Syv93a].

Finally, we have not looked at the still more ambitious project of unifying the BAN family with other logics. Nonetheless, we have produced a unified BAN-like logic that captures the features of four other logics. We have approached this from the perspective of having an integrated model. Thus, unlike a Swiss Army knife, our work is more than a collection of tools. Indeed, we believe it to be a better instance of all the tools it contains.
A GNY Rules

We present these GNY rules without any explanation of the rules or notation therein. Readers are referred to [GNY90] for details.

A.1 Rationality Rule

If $\dfrac{C_1}{C_2}$ is a rule, then for any principal P, so is $\dfrac{P \mid\!\equiv C_1}{P \mid\!\equiv C_2}$.

A.2 Being-Told Rules

T1: $\dfrac{P \lhd *X}{P \lhd X}$

T2: $\dfrac{P \lhd (X,Y)}{P \lhd X}$

T3: $\dfrac{P \lhd \{X\}_K,\; P \ni K}{P \lhd X}$

T4: $\dfrac{P \lhd \{X\}_{+K},\; P \ni -K}{P \lhd X}$

T5: $\dfrac{P \lhd F(X,Y),\; P \ni X}{P \lhd Y}$

T6: $\dfrac{P \lhd \{X\}_{-K},\; P \ni +K}{P \lhd X}$

A.3 Possession Rules

P1: $\dfrac{P \lhd X}{P \ni X}$

P2: $\dfrac{P \ni X,\; P \ni Y}{P \ni (X,Y),\; P \ni F(X,Y)}$

P3: $\dfrac{P \ni (X,Y)}{P \ni X}$

P4: $\dfrac{P \ni X}{P \ni H(X)}$

P5: $\dfrac{P \ni F(X,Y),\; P \ni X}{P \ni Y}$

P6: $\dfrac{P \ni K,\; P \ni X}{P \ni \{X\}_K,\; P \ni \{X\}_K^{-1}}$

P7: $\dfrac{P \ni +K,\; P \ni X}{P \ni \{X\}_{+K}}$

P8: $\dfrac{P \ni -K,\; P \ni X}{P \ni \{X\}_{-K}}$


A.4 Freshness Rules

F1: $\dfrac{P \mid\!\equiv \#(X)}{P \mid\!\equiv \#(X,Y),\; P \mid\!\equiv \#(F(X))}$

F2: $\dfrac{P \mid\!\equiv \#(X),\; P \ni K}{P \mid\!\equiv \#(\{X\}_K),\; P \mid\!\equiv \#(\{X\}_K^{-1})}$

F3: $\dfrac{P \mid\!\equiv \#(X),\; P \ni +K}{P \mid\!\equiv \#(\{X\}_{+K})}$

F4: $\dfrac{P \mid\!\equiv \#(X),\; P \ni -K}{P \mid\!\equiv \#(\{X\}_{-K})}$

F5: $\dfrac{P \mid\!\equiv \#(+K)}{P \mid\!\equiv \#(-K)}$

F6: $\dfrac{P \mid\!\equiv \#(-K)}{P \mid\!\equiv \#(+K)}$

F7: $\dfrac{P \mid\!\equiv \phi(X),\; P \mid\!\equiv \#(K),\; P \ni K}{P \mid\!\equiv \#(\{X\}_K),\; P \mid\!\equiv \#(\{X\}_K^{-1})}$

F8: $\dfrac{P \mid\!\equiv \phi(X),\; P \mid\!\equiv \#(+K),\; P \ni +K}{P \mid\!\equiv \#(\{X\}_{+K})}$

F9: $\dfrac{P \mid\!\equiv \phi(X),\; P \mid\!\equiv \#(-K),\; P \ni -K}{P \mid\!\equiv \#(\{X\}_{-K})}$

F10: $\dfrac{P \mid\!\equiv \#(X),\; P \ni X}{P \mid\!\equiv \#(H(X))}$

F11: $\dfrac{P \mid\!\equiv \#(H(X)),\; P \ni H(X)}{P \mid\!\equiv \#(X)}$


A.5 Recognizability Rules

R1: $\dfrac{P \mid\!\equiv \phi(X)}{P \mid\!\equiv \phi(X,Y),\; P \mid\!\equiv \phi(F(X))}$

R2: $\dfrac{P \mid\!\equiv \phi(X),\; P \ni K}{P \mid\!\equiv \phi(\{X\}_K),\; P \mid\!\equiv \phi(\{X\}_K^{-1})}$

R3: $\dfrac{P \mid\!\equiv \phi(X),\; P \ni +K}{P \mid\!\equiv \phi(\{X\}_{+K})}$

R4: $\dfrac{P \mid\!\equiv \phi(X),\; P \ni -K}{P \mid\!\equiv \phi(\{X\}_{-K})}$

R5: $\dfrac{P \mid\!\equiv \phi(X),\; P \ni X}{P \mid\!\equiv \phi(H(X))}$

R6: $\dfrac{P \ni H(X)}{P \mid\!\equiv \phi(X)}$


A.6 Message Interpretation Rules

We present only I4, I6, and I7.

I4: $\dfrac{P \lhd \{X\}_{-K},\; P \ni +K,\; P \mid\!\equiv \stackrel{+K}{\mapsto} Q,\; P \mid\!\equiv \phi(X)}{P \mid\!\equiv Q \mid\!\sim X,\; P \mid\!\equiv Q \mid\!\sim \{X\}_{-K}}$

I6: $\dfrac{P \mid\!\equiv Q \mid\!\sim X,\; P \mid\!\equiv \#(X)}{P \mid\!\equiv Q \ni X}$

I7: $\dfrac{P \mid\!\equiv Q \mid\!\sim (X,Y)}{P \mid\!\equiv Q \mid\!\sim X}$

A.7 Jurisdiction Rules

J1: $\dfrac{P \mid\!\equiv Q \mid\!\Rightarrow C,\; P \mid\!\equiv Q \mid\!\equiv C}{P \mid\!\equiv C}$

J2: $\dfrac{P \mid\!\equiv Q \mid\!\Rightarrow Q \mid\!\equiv *,\; P \mid\!\equiv Q \mid\!\sim (X \leadsto C),\; P \mid\!\equiv \#(X)}{P \mid\!\equiv Q \mid\!\equiv C}$

J3: $\dfrac{P \mid\!\equiv Q \mid\!\Rightarrow Q \mid\!\equiv *,\; P \mid\!\equiv Q \mid\!\equiv Q \mid\!\equiv C}{P \mid\!\equiv Q \mid\!\equiv C}$
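As an added worked derivation (an illustration written for this edition, not part of the paper), the following chain applies the GNY being-told, possession and message-interpretation rules to a constructed situation: P is told a message signed with Q's private key, holds Q's public key, and recognizes the plaintext. The five premises are assumed for the example; $\stackrel{+K}{\mapsto} Q$ is the GNY formula stating that $+K$ is Q's public key.

$$
\begin{array}{lll}
(1) & P \lhd \{X\}_{-K} & \text{premise: the signed message is received} \\
(2) & P \ni +K & \text{premise: P possesses Q's public key} \\
(3) & P \mid\!\equiv \stackrel{+K}{\mapsto} Q & \text{premise: P believes } +K \text{ belongs to Q} \\
(4) & P \mid\!\equiv \phi(X) & \text{premise: X is recognizable to P} \\
(5) & P \mid\!\equiv \#(X) & \text{premise: P believes X is fresh} \\
(6) & P \lhd X & \text{T6 from (1), (2)} \\
(7) & P \ni X & \text{P1 from (6)} \\
(8) & P \mid\!\equiv Q \mid\!\sim X & \text{I4 from (1), (2), (3), (4)} \\
(9) & P \mid\!\equiv Q \ni X & \text{I6 from (8), (5)}
\end{array}
$$

Without premise (5) the chain stops at (8): P may conclude that Q once conveyed X, but not that Q possesses X now, which is precisely the distinction the freshness premise of I6 enforces against a replayed signed message.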

B AT Rules and Axioms

We present these AT rules and axioms without explanation. Readers are referred to [AT91] for details.

There are two rules:

R1. Modus Ponens: From $\vdash \varphi$ and $\vdash \varphi \supset \psi$ infer $\vdash \psi$.

R2. Necessitation: From $\vdash \varphi$ infer $\vdash P \text{ believes } \varphi$.

Axioms are all instances of tautologies of classical propositional calculus, and all instances of the following axiom schemata:

Believing

For any principal P and formulae $\varphi$ and $\psi$,

A1. $P \text{ believes } \varphi \wedge P \text{ believes } (\varphi \supset \psi) \supset P \text{ believes } \psi$

A2. $P \text{ believes } \varphi \supset P \text{ believes } (P \text{ believes } \varphi)$

A3. $\neg(P \text{ believes } \varphi) \supset P \text{ believes } (\neg(P \text{ believes } \varphi))$

Message Meaning

If $P \neq S$, then

A5. $P \stackrel{K}{\leftrightarrow} Q \wedge R \text{ sees } \{X_S\}_K \supset Q \text{ said } X$

A6. $P \stackrel{Y}{\rightleftharpoons} Q \wedge R \text{ sees } \langle X_S \rangle_Y \supset Q \text{ said } X$

Seeing

A7. $P \text{ sees } (X_1, \ldots, X_n) \supset P \text{ sees } X_i$

A8. $P \text{ sees } \{X_Q\}_K \wedge P \text{ has } K \supset P \text{ sees } X$

A9. $P \text{ sees } \langle X_Q \rangle_S \supset P \text{ sees } X$

A10. $P \text{ sees } \text{‘}X\text{’} \supset P \text{ sees } X$

A11. $P \text{ sees } \{X_Q\}_K \wedge P \text{ has } K \supset P \text{ believes } (P \text{ sees } \{X_Q\}_K)$

Saying

A12. $P \text{ said } (X_1, \ldots, X_n) \supset P \text{ said } X_i$

A13. $P \text{ said } \{X_Q\}_S \supset P \text{ said } X$

A14. $P \text{ sees } \text{‘}X\text{’} \wedge \neg P \text{ sees } X \supset P \text{ said } X$

If ‘says’ is substituted for ‘said’ throughout in A12, A13, or A14, the result is also an axiom.

Jurisdiction

A15. $P \text{ controls } \varphi \wedge P \text{ says } \varphi \supset \varphi$

Freshness

A16. $\mathit{fresh}(X_i) \supset \mathit{fresh}(X_1, \ldots, X_n)$

A17. $\mathit{fresh}(X) \supset \mathit{fresh}(\{X\}_K)$

A18. $\mathit{fresh}(X) \supset \mathit{fresh}(\{X\}_S)$

A19. $\mathit{fresh}(X) \supset \mathit{fresh}(\text{‘}X\text{’})$

Nonce-Verification

A20. $\mathit{fresh}(X) \wedge P \text{ said } X \supset P \text{ says } X$

Shared Keys and Secrets

A21. $R \stackrel{K}{\leftrightarrow} R' \equiv R' \stackrel{K}{\leftrightarrow} R$

A22. $R \stackrel{K}{\rightleftharpoons} R' \equiv R' \stackrel{K}{\rightleftharpoons} R$

C VO Rules

We present the three rules introduced in [vO93] (in the original notation).

R30: $\dfrac{A \text{ has } PK_\delta^{-1}(A),\; A \text{ has } PK_\delta(U)}{A \text{ has } K}$ where $K = f(PK_\delta^{-1}(A), PK_\delta(U))$.

R31: $\dfrac{A \mid\!\equiv PK_\delta^{-1}(A),\; A \mid\!\equiv PK_\delta(B),\; A \mid\!\equiv PK_\delta^{-1}(B)}{A \mid\!\equiv A \stackrel{K}{\leftrightarrow} B}$ where $K = f(PK_\delta^{-1}(A), PK_\delta(B))$.

R32: $\dfrac{A \mid\!\equiv A \stackrel{K}{\leftrightarrow} B,\; A \text{ sees } {*}\mathit{confirm}(K)}{A \mid\!\equiv A \stackrel{K}{\Leftrightarrow} B}$


